[Bug] #5601

@rissinghal

Make sure that your question or issue is not already covered in MSAL docs or samples.

Documentation related to component

https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/web-apps-apis/client-credential-flows
https://learn.microsoft.com/en-us/entra/msal/dotnet/advanced/proof-of-possession-tokens

Please check those that apply

  • typo
  • documentation doesn't exist
  • documentation needs clarification
  • error(s) in example
  • needs example

Description of the issue

Hello team,
We are migrating a daemon/background service (Model-D) to Durable App-Only tokens using the MSAL.NET client credential flow as per the Client Credential Flows guidance. This is required for an SFI Task - https://o365exchange.visualstudio.com/IDEAs/_workitems/edit/5911394/. The description has the guidance on using the MSAL.NET Client Credential Flow.

Our target resource is Admin.omap, which enforces PopRequired=true in its OMAP configuration - https://o365exchange.visualstudio.com/O365%20Core/_git/M365CoreAuth?path=/sources/dev/Security/src/TokenIssuerOMAPs/Omap/AdminApi.omap&version=GBmaster&line=6870&lineEnd=6871&lineStartColumn=1&lineEndColumn=1&lineStyle=plain&_a=contents.

This means that for all token acquisitions, we must use the tenant-specific authority - https://login.windows.net/{tenantId} and request the resource scope - https://outlook.office365.com/.default via the client credential flow.
Instead of sending a standard Bearer token in the Authorization header, we are required to send a Proof-of-Possession (PoP) token.

I tried to follow the docs attached above, but it's throwing a 401. In addition to this, it seems like WithProofOfPossession is deprecated and WithSignedHttpRequestProofOfPossession is experimental. What is the suggestion for this?

This is our current implementation - https://o365exchange.visualstudio.com/O365%20Core/_git/LighthouseCore?path=/sources/dev/Core/HttpClient/Source/Authenticators/ExoAuthenticator.cs&version=GBmaster&line=106&lineEnd=107&lineStartColumn=1&lineEndColumn=1&lineStyle=plain&_a=contents

Thanks
